Quick question regarding Ingress Filtering.

    • #8286
      ttyl1333
      Participant

      In the CEH Study Guide Book, the following is mentioned as part of Ingress Filtering: "Although this doesn't stop an attack from occurring, it
      does make it much easier to track down the source of the attack and terminate the attack quickly."

      Why doesn't Ingress Filtering stop an attack?

      I thought it stops packets which contain unapproved IP addresses in their header from entering the network?

      Thanks for any help.

    • #52198
      cd1zz
      Participant

      It will stop attacks on ports/services that are not allowed. However, it cannot stop attacks for ports/services that are allowed. For example, you would hopefully deny inbound tcp/445 but might allow tcp/80 in for web services. We can still attack the web server and the web application... which is allowed by the ingress filtering.

    • #52199
      m0wgli
      Participant

      @cd1zz wrote:

      It will stop attacks on ports/services that are not allowed. However, it cannot stop attacks for ports/services that are allowed. For example, you would hopefully deny inbound tcp/445 but might allow tcp/80 in for web services. We can still attack the web server and the web application... which is allowed by the ingress filtering.

      AFAIK, that would be considered port filtering, ingress filtering is IP address based.

      @ttyl1333 wrote:

      I thought it stops packets which contain unapproved IP addresses in their header from entering the network?

      I think they are looking at this from the perspective that an attacker can spoof the IP address in the header. However, it’s still possible to detect that behaviour.

    • #52200
      ttyl1333
      Participant

      @m0wgli wrote:

      I think they are looking at this from the perspective that an attacker can spoof the IP address in the header. However, it’s still possible to detect that behaviour.

      Ahh okay thanks  ;D

    • #52201
      prats84
      Participant

      Ingress filter... yes, mainly from spoofing and sort of route leaking etc. if seen from an ISP's network view.

      You could look at RFC 2827, which states everything in detail.

    • #52202
      cd1zz
      Participant

      I had no idea there was a difference! Thanks for the clarification. I always assumed it was the same concept as egress filtering, which is apparently different!

    • #52203
      prats84
      Participant

      For enterprise or small-business sized networks, I consider egress as more important than ingress, as it serves as a filter to drop traffic leaving your network.

    • #52204
      dynamik
      Participant

      @cd1zz wrote:

      I had no idea there was a difference! Thanks for the clarification. I always assumed it was the same concept as egress filtering, which is apparently different!

      This isn’t directed at anyone who responded in this thread, but aside from garbage CEH trivia questions, I don’t think there is a difference.

      This seems to have caught on from the RFCs (2827 is actually superseded by 3704). However, these are specifically written for mitigating DoS attacks for service providers/large networks. They aren’t literally defining the term.

      There is no legitimate reason for ingress filtering to not mean the exact opposite of egress filtering.

    • #52205
      cd1zz
      Participant

      Good to know I’m not totally crazy.

    • #52206
      prats84
      Participant

      Not making an argument or anything, just sharing my experience.

      – 3704, yes, is an update to 2827, so it supersedes it as such, but 2827 is still used to refer to uRPF as a base. Even CCIE v4 exams still use 2827 lol... to test on.

      – I do agree about ingress and egress, as they are basically to block invalid traffic from entering or leaving the network respectively, whatever it may be: spoofing, Smurf, etc.

      Having ingress, we allow certain things to enter our network.

      However, egress can be used to identify any anomaly. Egress usually lets almost all IP traffic out of the network (except traffic sourced from 1918, bogon, multicast, and even some ftp, tftp protocols).

      I like to use egress to find out a sudden spike in outbound bandwidth and random ports sending large traffic, which is useful if end machines have been part of a botnet or a virus. Egress helps to quickly stop these attacks going out of the network. Once things are more clear on analysis, ACLs close to the source of malicious activity can be applied.
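As an added illustration of the RFC 2827 source-address check mentioned in the earlier post and the egress rule described in this one (example code written for this thread, not from the RFC, the CEH guide or any poster), the snippet below filters constructed flow records: the prefix assignment, bogon list and flows are all made-up sample values.

```python
import ipaddress

# Constructed example: an RFC 2827 / BCP 38 style ingress check at a provider
# edge and an egress check at an enterprise border that drops RFC 1918 / bogon
# sourced traffic. Prefixes and flows below are sample values, not real data.

# Source prefixes that should never cross the border (abbreviated bogon list).
BOGON_SOURCES = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
]

# Hypothetical customer / enterprise assignment (RFC 5737 documentation range).
OUR_PREFIXES = ["203.0.113.0/24"]

# Constructed flow records, "src,dst,proto/port", as seen on the customer link.
SAMPLE_FLOWS = [
    "203.0.113.7,198.51.100.80,tcp/80",    # source inside the assignment: ok
    "10.0.0.5,198.51.100.53,udp/53",       # RFC 1918 source: cannot be a real customer host
    "198.51.100.9,198.51.100.80,tcp/80",   # source outside the assignment: spoofed
    "203.0.113.200,192.0.2.25,tcp/25",     # source inside the assignment: ok
]


def _in_any(ip, prefixes):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def ingress_allowed(src_ip, assigned_prefixes):
    """RFC 2827 ingress check: a packet arriving on a customer-facing interface
    is accepted only if its source lies in the prefixes assigned to that
    customer; any other source address is treated as spoofed and dropped."""
    return _in_any(src_ip, assigned_prefixes)


def egress_allowed(src_ip, our_prefixes):
    """Egress check at the enterprise border: outbound traffic must carry one
    of our own source addresses and never an RFC 1918 / bogon source, so a
    compromised host spoofing its source is stopped (and logged) at the edge."""
    if _in_any(src_ip, BOGON_SOURCES):
        return False
    return _in_any(src_ip, our_prefixes)


def spoofed_sources(flows, assigned_prefixes):
    """Run the ingress check over flow records and return the dropped source
    addresses, i.e. the hosts or upstream links worth investigating."""
    return [rec.split(",")[0] for rec in flows
            if not ingress_allowed(rec.split(",")[0], assigned_prefixes)]
```

Note that both checks only look at the source address, which is why traffic with a legitimate source to an allowed port passes either filter untouched.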

Copyright ©2020 Caendra, Inc.